At a glance: MuddyWater is deploying a new Rust-based implant, RustyWater, via macro-enabled Word documents to establish persistence and command-and-control access in targeted organizations. While the malware is evolving, the attack relies on consistent behaviors such as macro execution, command-line activity from writable directories, and network beacons. Field Effect MDR detects these behaviors in real time and will issue an ARO with mitigation guidance if related activity is observed.
Threat summary
Research from January 2026 shows MuddyWater, an Iran-aligned threat group, expanding its operations with new Rust-based tooling delivered via macro-enabled Microsoft Word documents.
The group has been deploying a Rust-based implant known as RustyWater in espionage campaigns targeting diplomatic, maritime, financial, and telecommunications organizations across the Middle East.
The campaign relies on spearphishing emails containing malicious documents that use icon spoofing to appear legitimate. Once opened, the documents trigger a multi-stage infection chain that installs RustyWater, enabling command-and-control communication, registry-based persistence, and modular post-compromise activity.
The group is increasingly favoring custom malware families, moving away from earlier PowerShell and Visual Basic Script loaders and legitimate remote access tools.
A separate analysis of a related Rust sample exposes extensive development artefacts embedded in the binary, including Windows user paths, Rust toolchain identifiers, compiler commit hashes, and module structure.
These details point to a Windows-based development environment with limited build sanitization. The artefacts provide insight into the group’s development workflow and create opportunities for defenders to cluster related activity, even as infrastructure and malware families change.
Insights & mitigations
MuddyWater continues to rely on macro-enabled documents because document-based delivery remains a consistent and effective initial access method. The shift to Rust offers operational advantages, including lower detection rates, cross-platform flexibility, and modular code structures that support rapid updates. The exposed build artefacts indicate a development workflow optimized for speed and reuse, even at the expense of operational security.
While RustyWater and the exposed build artefacts show that MuddyWater is modernizing its development stack, the infection chain still depends on user interaction, macro execution, and predictable post-exploitation behaviors.
Rust-based implants may evade signature-driven tools, but the group’s reliance on macro-enabled documents, command-line execution, registry persistence, and network beacons creates consistent behavioral signals that remain detectable even as the underlying malware changes.
Mitigation involves tightening macro restrictions across endpoints, limiting execution from writable directories such as ProgramData, and deploying behavioral monitoring capable of detecting payload reconstruction, command-line execution chains, and registry persistence. Strengthening email filtering and attachment scanning reduces exposure to malicious documents, while user training focused on identifying suspicious documents and unexpected macro prompts lowers the likelihood of successful social engineering.
Field Effect MDR mitigates threats like RustyWater by continuously monitoring endpoint behavior, network activity, and user actions to detect the techniques MuddyWater relies on—rather than the specific malware family it deploys.
The platform identifies key indicators across the attack chain, including suspicious document activity, macro execution, payload reconstruction, and command-line launches from locations such as ProgramData. It also detects registry-based persistence, anomalous command-and-control communications, and lateral movement attempts following initial compromise.
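The behaviors named in the mitigation and detection paragraphs above (an Office process spawning a child, execution from a writable directory such as ProgramData, and registry Run-key persistence) can be expressed as simple behavioral rules and correlated. The following is an added example, not Field Effect MDR code and not anything published with the advisory. It runs over constructed Sysmon-style records (Event ID 1 for process creation, Event ID 13 for a registry value being set); every path, file name and SID in the sample events is made up, and the list of watched directories is an assumption a defender would tune.

```python
"""Behavioral triage of endpoint events for a macro-to-implant chain.

Added example, not Field Effect MDR code. Input records mimic Sysmon
Event ID 1 (process creation) and Event ID 13 (registry value set); the
sample events below are constructed, including every path and SID.
"""
from dataclasses import dataclass
from typing import Dict, List

# Writable locations an unprivileged user can stage a payload in.
# Assumption: this prefix list is what the organisation chooses to watch.
WRITABLE_PREFIXES = (
    "c:/programdata/",
    "c:/users/public/",
    "/appdata/local/temp/",
    "/appdata/roaming/",
)

# Office binaries whose child processes almost always mean macro execution.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Autostart registry paths covered by this example (Run and RunOnce only).
RUN_KEY_MARKERS = ("/currentversion/run/", "/currentversion/runonce/")


@dataclass
class Finding:
    event_id: int
    rule: str
    detail: str


def _norm(path: str) -> str:
    """Lower-case and use forward slashes so prefix checks stay simple."""
    return path.replace("\\", "/").lower()


def _in_writable_dir(path: str) -> bool:
    return any(prefix in _norm(path) for prefix in WRITABLE_PREFIXES)


def analyze(events: List[Dict]) -> List[Finding]:
    """Return one Finding per matched behavior, in event order."""
    findings: List[Finding] = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            image = ev["Image"]
            parent = _norm(ev.get("ParentImage", "")).rsplit("/", 1)[-1]
            cmdline = ev.get("CommandLine", "")
            if parent in OFFICE_PARENTS:
                findings.append(Finding(eid, "office_child_process",
                                        f"{parent} -> {_norm(image)}"))
            if _in_writable_dir(image):
                findings.append(Finding(eid, "exec_from_writable_dir", _norm(image)))
            elif _in_writable_dir(cmdline):
                # A system binary (cmd.exe etc.) pointed at a staged payload.
                findings.append(Finding(eid, "cmdline_references_writable_dir", cmdline))
        elif eid == 13:
            target = _norm(ev["TargetObject"])
            if any(marker in target for marker in RUN_KEY_MARKERS):
                findings.append(Finding(eid, "run_key_persistence",
                                        f"{ev['TargetObject']} = {ev.get('Details', '')}"))
    return findings


def chain_detected(findings: List[Finding]) -> bool:
    """True when all three stages are present: a macro-spawned process,
    execution involving a writable directory, and Run-key persistence."""
    rules = {f.rule for f in findings}
    return bool(
        "office_child_process" in rules
        and rules & {"exec_from_writable_dir", "cmdline_references_writable_dir"}
        and "run_key_persistence" in rules
    )


# Constructed sample telemetry: a benign Word launch, then a macro spawning
# cmd.exe, a payload running from ProgramData, a Run-key write, and one
# unrelated registry write that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docm"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"cmd.exe /c C:\ProgramData\OfficeCache\svc.exe"},
    {"EventID": 1, "Image": r"C:\ProgramData\OfficeCache\svc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\ProgramData\OfficeCache\svc.exe"},
    {"EventID": 13, "Image": r"C:\ProgramData\OfficeCache\svc.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OfficeCache",
     "Details": r"C:\ProgramData\OfficeCache\svc.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
    print("full chain detected:", chain_detected(found))
```

The individual rules are deliberately noisy on their own (administrators do launch things from ProgramData), which is why `chain_detected` only alerts when a macro-spawned process, a writable-directory execution and a Run-key write all appear together; in a real deployment the events would additionally be scoped to one host and a short time window, and the autostart check extended to whichever other persistence locations the organisation tracks.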
By correlating these behaviors in real time and disrupting malicious activity early, Field Effect MDR prevents attackers from establishing persistence, deploying additional tools, or maintaining long-term access even as MuddyWater evolves its malware and development practices.